Configure Inline SSL Decryption Using GigaVUE-FM
This section describes how to configure inline SSL decryption using GigaVUE-FM.
Note: Before configuring, review Get Started with Inline SSL Decryption for prerequisites and review Introduction to Inline SSL Map Workflows.
Inline SSL Configuration Workflow Steps:
Inline SSL Map Workflow Steps (for Flow B):
Figure 119: Select Inline SSL Configuration Workflow
To configure inline SSL decryption:
- Access the workflow:
  - Go to Physical Nodes and select a GigaVUE‑HC1, GigaVUE-HC2, or GigaVUE-HC3.
- Complete the Inline SSL Configuration Workflow Steps.
- Complete the Inline SSL Map Workflow Steps (for Flow B).
- After completing the set-up workflows, verify your maps:
  - Click To Maps to verify the maps created by the workflow.
  - For inline network ports, go to Inline Bypass > Inline Networks. Select the inline network port and click Edit. Under Configuration, select a traffic path of To Inline Tool. If using protected inline networks, disable Physical Bypass.
- Go to Workflows and select Inline SSL Configuration from the Inline GigaSMART Operations section.
- Set Up Keychain Password
- The first step in the Workflow is Keychain Password. Click Setup Keychain Password to configure a keychain password.
- The keychain password must be configured before installing certificates and keys. If a private key is protected by a passphrase, that passphrase must be the same as the keychain password, or the key cannot be installed.
- Enter the Password. Hover the mouse over the ? to review the password requirements. Confirm the password.
- Click Submit. The keychain password is set up.
- Set Up the Key Pairs
- Click Next. The next step in the Workflow is Key Store.
- Add a key pair:
- Click Add Key Pair to configure the primary signing certificate and private key. The primary CA re-signs certificates for servers that present a valid certificate.
- Enter an alias for the Key Pair. Click RSA or ECDSA for Key Type. Click PEM or PKCS12 for Type. Click one of Copy and Paste, Install from URL, or Install from Local Directory.
- Click OK. The Primary Key Pair is added and can be selected from the Key Pair drop-down menu.
- Still under Key Store, repeat the "Add a key pair" steps to configure the secondary signing certificate and private key.
- Set up the Signing Certificate Authority (CA)
- Click Next. The next step in the Workflow is Signing CA. Click Configure Signing CA.
- Map each of the key pairs installed to the Primary Root CA and Secondary Root CA.
- Click OK. The signing CA is configured.
- Set Up the Trust Store (optional)
- Click Next. The next step in the Workflow is Trust Store. No configuration is required if you use the default Trust Store.
- Set Up the Inline SSL Policy Profile
- Click Next. The next step in the Workflow is Policy Profile. Click Create to configure an inline SSL profile. The profile specifies policy configuration, such as certificate handling and actions to take for the profile.
- Enter an alias for the profile. Under Policy Configuration, select a Default Action of Decrypt. Under Security Exceptions, select Decrypt or Drop.
- Under Whitelist/Blacklist, select Whitelist and Blacklist. Enter the paths to the files.
- Under Policy Rules, click Add a Rule.
- Select Category from the Rule drop-down menu. Select financial_services from the Category drop-down menu. Add another rule.
- Select Category from the Rule drop-down menu. Select health_and_medicine from the Category drop-down menu. Add another rule.
- Select Domain from the Rule drop-down menu. Enter youtube.com in Value text box for the Domain. Click OK.
- The inline SSL profile is added.
- Set Up Network Access
- Click Next. The next step in the Workflow is Network Access. Click Configure Network Access.
- Select DHCP and DHCP Enabled for a specified GigaSMART module.
- Click OK. The network access is configured.
Note: To verify the Network Access configuration, you can do the Ping Test as follows:
- Navigate to GigaSMART > Inline SSL > Network Access.
- In the Inline SSL Network Access window, on the Ping Test section, enter or select the GigaSMART Port and IP Address/Host Name.
- Click Ping to run the ping test. The test results appear in the Ping Result box.
Next, complete the Inline SSL Map Workflow Steps (for Flow B).
- After completing the Inline SSL Configuration Workflow Steps, go to Workflows and select Inline SSL Map from the Inline GigaSMART Operations section.
- Set Up Inline Networks
- Select FLOW B.
- The first step in the Workflow is Inline Network(s). Select a default inline network from the Inline Network(s) drop-down menu. This is a protected inline network.
- Set Up Inline Tools
- Click Next. The next step in the Workflow is Inline Tool(s).
- Click Create Inline Tool. Then click Port Editor. In the Quick Port Editor, locate ports and select Type of Inline Tool from the drop-down menu. Click Enable for those ports.
- Click OK. The inline tool port is added. Click Close to exit the Quick Port Editor.
- Still under Inline Tool(s), enter an alias for the inline tool. Select Port A and Port B from the drop-down menus for the inline tool port pair. Under Configuration, ensure that Inline tool sharing mode is selected. Under Heartbeats, select Enable Regular Heartbeat.
- Click OK. The inline tool is configured.
- Create GigaSMART Group
- Set Up the Virtual Port
- Click Next. The next step in the Workflow is Virtual Port. Click Create to configure a virtual port.
- You cannot add multiple vports on the same gsgroup.
- Enter an alias for the virtual port, select the previously configured GigaSMART group, then select an Inline Failover Action.
- Click OK. The virtual port is added.
- Set Up the GigaSMART Operation
- Click Next. The next step in the Workflow is GS Operation. Click Create to configure a GigaSMART operation.
- Enter an alias for the GigaSMART operation, select the previously configured GigaSMART group, select Inline SSL as the GigaSMART Operation (GSOP), then select the previously configured Inline SSL profile.
- Click OK. The GigaSMART operation is added.
- Set Up the Inline Rule-Based Map
- Click Next. The next step in the Workflow is Inline Rule Based Map.
- Configure the inline rule-based map. This map directs traffic from the inline network to the inline tool, using a specified rule. It has the same source port as the inline first level map and the same destination port as the inline second level map. Enter an alias for the map, select the map Type (Inline) and Subtype (By Rule), and select the source inline network and the destination inline tool.
- Click Add a Rule to specify a map rule. Click Bi-directional, select IPv4 Protocol from the Rule drop-down menu, and select TCP from the Protocol drop-down menu. Select Port Destination from the Rule drop-down menu and enter 80 in the text box for Min.
- Click OK. The map is added.
- Set Up the Inline First-Level Map
- Click Next. The next step in the Workflow is Inline First Level Map.
- Configure the inline first level map. This map directs TCP traffic from the inline network to a virtual port (and to GigaSMART). Enter an alias for the map, and select the map Type (Inline First Level) and Subtype (Ingress to Virtual Port). Under Map Source and Destination, select the inline network as the source and the virtual port as the destination. Under Map Rules, click Add a Rule. Select IPv4 Protocol from the Rule drop-down menu, and select TCP from the Protocol drop-down menu.
- Click OK. The map is added.
- Set Up the Inline Second-Level Map
- Click Next. The next step in the Workflow is Inline Second Level Map.
- Configure the next map, which is the inline second level map. This map directs traffic from the virtual port, uses the inline SSL GigaSMART operation, and sends traffic to the inline tool. Enter an alias for the map and select the map Type (Inline Second Level) and Subtype (Egress from Virtual Port). Under Map Source and Destination, select the virtual port as the source and the inline tool as the destination, then select the inline SSL GigaSMART operation.
- Click OK. The map is added.
- Set Up the Collector Map
- Click Next. The next step in the Workflow is Collector Map (bypass).
- Configure a collector map for any unmatched traffic including non-TCP traffic, which is directed to bypass. Enter an alias for the map, and select the map Type (Inline) and Subtype (Collector), then select a Traffic Path of ByPass. Under Map Source and Destination, select the inline network as the source.
- Click OK. The map is added.
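The four maps created by this workflow act as a dispatch chain: the rule-based map sends TCP port 80 straight to the inline tool without decryption, the first-level map sends the remaining TCP traffic to the virtual port where the second-level map applies the inline SSL GigaSMART operation, and the collector map bypasses everything else. As an added example (not part of Gigamon's documentation or product code), the Python model below classifies a few constructed flows by those rules; the evaluation order and the reading of "Min 80" with no Max as exactly port 80 are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp", "icmp", ...
    src_port: Optional[int]     # None for protocols without ports
    dst_port: Optional[int]


def match_rule_based(flow: Flow) -> bool:
    """Inline rule-based map: bi-directional, IPv4 Protocol TCP, Port Destination
    Min 80 (no Max, taken here as exactly 80). Bi-directional means the return
    direction, where 80 is the source port, matches as well."""
    return flow.proto == "tcp" and 80 in (flow.src_port, flow.dst_port)


def match_first_level(flow: Flow) -> bool:
    """Inline first-level map: IPv4 Protocol TCP, ingress to the virtual port."""
    return flow.proto == "tcp"


def route(flow: Flow) -> list[str]:
    """Return the hops a flow takes through the map set.
    Assumption: maps are evaluated in the order the workflow created them
    (rule-based, then first-level; the collector catches what is left)."""
    if match_rule_based(flow):
        return ["inline-network", "inline-tool"]                    # plaintext HTTP, not decrypted
    if match_first_level(flow):
        # first-level map -> vport; second-level map applies the inline SSL GSOP
        return ["inline-network", "vport", "gsop:inline-ssl", "inline-tool"]
    return ["inline-network", "bypass"]                              # collector map (bypass)


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = {
    "http": Flow("tcp", 51000, 80),
    "http-return": Flow("tcp", 80, 51000),
    "https": Flow("tcp", 51001, 443),
    "dns": Flow("udp", 51002, 53),
    "icmp": Flow("icmp", None, None),
}


def path_table() -> dict[str, list[str]]:
    """Map each sample flow name to the path it takes through the maps."""
    return {name: route(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, path in path_table().items():
        print(f"{name:12s} {' -> '.join(path)}")
```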